Skip to main content

BunkerWeb CVE-2026-61718

| EUVDEUVD-2026-45032 MEDIUM
Improper Authorization (CWE-285)
2026-07-16 GitHub_M
5.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L required (reader-role UI account mandatory); cache deletion yields limited I:L and A:L with no confidentiality breach (C:N) and no scope change (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:16 vuln.today
Analysis Generated
Jul 16, 2026 - 20:16 vuln.today

DescriptionCVE.org

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12.

AnalysisAI

Improper authorization in BunkerWeb's web UI middleware allows authenticated reader-role accounts to permanently delete WAF job cache files in versions 1.6.2 through 1.6.11. The BiscuitMiddleware bypass list incorrectly included the /cache/ URL prefix, causing the POST /cache/delete route to skip Biscuit role-based access control and enforce only Flask's @login_required decorator, making write-privileged cache operations accessible to any authenticated user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain reader-role UI credentials
Delivery
Authenticate to BunkerWeb web UI
Exploit
Send POST /cache/delete request
Execution
BiscuitMiddleware skips Biscuit authorization for /cache/ prefix
Persist
Cache files permanently deleted
Impact
WAF blacklists and rules degraded

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid BunkerWeb web UI account with at minimum the reader (non-admin) role - unauthenticated access is not sufficient, as Flask's `@login_required` decorator remains enforced. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L is well-calibrated to the actual impact: network-accessible, low complexity, requiring low-privilege authentication, with limited integrity and availability impact but no confidentiality breach or scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a valid BunkerWeb reader-role UI credential (via phishing, credential stuffing, or insider access) authenticates to the web interface and issues a standard `POST /cache/delete` HTTP request. Because BiscuitMiddleware exempts all `/cache/` paths from role evaluation, the request is processed without any write-privilege check and the targeted job cache files are permanently deleted. …
Remediation Upgrade BunkerWeb to version 1.6.12, which is the vendor-released patch that removes `/cache/` from the BiscuitMiddleware bypass list and enforces full role-based authorization on all cache routes. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy